7673109

Restricting Type Access to High-Trust Components

Published: March 2, 2010
Assignee: not available in USPTO data we have

Patent Claims
16 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. In a computerized environment including one or more application programs that may or may not be trusted, and an operating system having one or more type data structures, a method of restricting access by the one or more application programs to the one or more type data structures, comprising the acts of: executing one or more application programs in a lower-privilege mode in a first address space associated with one set of permissions; receiving one or more requests from the one or more application programs for type information corresponding to one or more type data structures in a memory location; processing the one or more requests in order to validate at least one request via one or more kernel mode components operating in a second address space associated with a different set of permissions; for the validated request, passing type information corresponding to the validated request into a shared memory heap, wherein the one or more application programs can access the type information without accessing the type data structures of the operating system; and for the validated request, passing a value that is accessible to the one or more application programs, wherein the value is associated with the type information in the shared memory heap.

2. The method as recited in claim 1, wherein the one set of permissions of the first address space are set to read-only with respect to the shared memory heap.

3. The method as recited in claim 2, wherein the one set of permissions indicate that there is no access by any component in the first address space to the memory location.

4. The method as recited in claim 1, wherein the different set of permissions of the second address space are set to read/write with respect to the shared memory heap.

5. The method as recited in claim 4, wherein the different set of permissions indicate that there is read/write access by any component in the second address space to the memory location.

6. The method as recited in claim 1, further comprising an act of receiving the one or more application requests via an exception dispatcher component.

7. The method as recited in claim 6, wherein the exception dispatcher causes an exception to a lower-privilege mode runtime upon identifying that the one or more user requests require processing by a higher-privilege mode component.

8. The method as recited in claim 1, further comprising the acts of: receiving one or more new requests from the one or more application programs for the type information in the shared memory heap, wherein the one or more new requests include the value; and processing the one or more new requests in accordance with the one set of permissions for the first address space.

9. The method as recited in claim 1, further comprising the acts of: receiving a new request from the one or more application programs for different type information; and identifying that the different type information is already present in the shared memory heap.

10. The method as recited in claim 9, wherein the value is a pointer that refers to the different type information that is already present in the memory heap.

11. In a computerized environment including a memory, an operating system having one or more type data structures, and one or more application programs that may or may not be trusted by the operating system, a method of restricting access by the one or more application programs to the one or more type data structures, comprising the acts of: storing one or more type data structures in a memory location; setting one or more permissions in a page table, wherein a first address space is provided no access to the memory location, and is provided read-only access to a shared memory heap; setting one or more different permissions in the page table, wherein a second address space is provided read/write access to the shared memory heap; directing to a component of the second address space any access request by any component of the first address space for the one or more type data structures in the memory location; reviewing the any access request from the any component of the first address space and processing the access request by the component of the second address space to determine that the request is valid; for any request determined to be valid, passing type information corresponding to the validated request into the shared memory heap, wherein one or more application programs can access the type information without accessing type data structures of the operating system; associating a value with type information corresponding to any access request determined to be valid when processed by the component of the second address space; and for any access request determined to be valid, providing the value to the any component in the first address space, wherein the value is accessible to the one or more application programs, wherein the value is associated with the type information in the shared memory heap.

12. The method as recited in claim 11, wherein the first address space and the second address space are in different memory locations.

13. The method as recited in claim 11, wherein the different memory locations of the first and second address spaces are different from the memory location in which the type data structures are stored.

14. The method as recited in claim 11, wherein the any component of the first address space is a user mode component, and the component of the second address space is a kernel mode component.

15. The method as recited in claim 14, further comprising an act of switching from a user mode runtime to a kernel mode runtime upon receiving the any access request from the any component of the first address space.

16. In a computerized environment including one or more application programs that may or may not be trusted, and an operating system having one or more type data structures, a computer program storage product having computer-executable instructions stored thereon that, when executed, cause one or more processors in a computer system to perform a method comprising: executing one or more application programs in a lower-privilege mode in a first address space associated with one set of permissions; receiving one or more requests from the one or more application programs for type information corresponding to one or more type data structures in a memory location; processing the one or more requests in order to validate at least one request via one or more kernel mode components operating in a second address space associated with a different set of permissions; for the validated request, passing type information corresponding to the validated request into a shared memory heap, wherein the one or more application programs can access the type information without accessing the type data structures of the operating system; and for the validated request, passing a value that is accessible to the one or more application programs, wherein the value is associated with the type information in the shared memory heap.
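
The following C sketch is an added illustration, not part of the patent text or of the site's analysis. It simulates, in user space, the arrangement described in claims 1, 2, 4, 9 and 10: one memory object is mapped twice, read/write for a broker standing in for the kernel-mode component and read-only for the application. The type table, the function names and the use of a heap offset as the returned value are assumptions made for the example.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define HEAP_SIZE 4096
#define NAME_LEN  32

/* Constructed sample: private table standing in for the OS type data structures. */
static const struct { const char *name; int exposable; } private_types[] = {
    { "Point", 1 }, { "KernelSecret", 0 }, { "Rect", 1 },
};

static char *heap_rw;        /* broker ("second address space") view: read/write */
static const char *heap_ro;  /* application ("first address space") view: read-only */
static size_t heap_used;     /* bytes published so far (broker bookkeeping) */

/* Map one memory object twice with different protections. Returns 0 on success. */
int heap_init(void) {
    FILE *f = tmpfile();
    if (!f || ftruncate(fileno(f), HEAP_SIZE) != 0) return -1;
    heap_rw = mmap(NULL, HEAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fileno(f), 0);
    heap_ro = mmap(NULL, HEAP_SIZE, PROT_READ, MAP_SHARED, fileno(f), 0);
    heap_used = 0;
    return (heap_rw == MAP_FAILED || heap_ro == MAP_FAILED) ? -1 : 0;
}

/* Broker: validate the request, publish into the shared heap, return the offset; -1 = denied. */
long broker_request_type(const char *name) {
    for (size_t off = 0; off < heap_used; off += NAME_LEN)   /* already published: reuse */
        if (strcmp(heap_rw + off, name) == 0) return (long)off;
    for (size_t i = 0; i < sizeof private_types / sizeof *private_types; i++) {
        if (strcmp(private_types[i].name, name) != 0) continue;
        if (!private_types[i].exposable || heap_used + NAME_LEN > HEAP_SIZE) return -1;
        snprintf(heap_rw + heap_used, NAME_LEN, "%s", name);  /* copy, never a pointer into the table */
        heap_used += NAME_LEN;
        return (long)(heap_used - NAME_LEN);
    }
    return -1;  /* unknown type */
}

/* Application: later lookups need only the value and the read-only view. */
const char *app_read_type(long handle) {
    if (handle < 0 || (size_t)handle >= heap_used || handle % NAME_LEN) return NULL;
    return heap_ro + handle;
}

int main(void) { return heap_init() != 0 || broker_request_type("KernelSecret") != -1; }
```

A write through `heap_ro` would fault, because that mapping carries only `PROT_READ`; in the simulation the private table is protected by convention only, whereas the claims rely on page-table permissions to deny the first address space any access to it.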

Patent Metadata

Filing Date

Unknown

Publication Date

March 2, 2010

Inventors

David Charles Wrighton
Robert Sadao Unoki
